
Introduction

Media files have become an important part of business content. Since in some environments we cannot simply block MP3 files outright, how do we tell which files are business recordings and which are (possibly illegally obtained) music?

IsMP3Song.exe is my attempt to address this issue.

The idea is very simple: pass the filename to the tool and it returns a score indicating how confident it is that the file is a commercial MP3.

The tool achieves this by making a web-service call to iTunes and then scoring the iTunes results against the filename of the MP3. Two caveats follow from that design: the score depends on the filename alone, so a renamed file scores low regardless of its content, and every scored file sends its name to an external service, which is worth knowing before pointing it at confidential recordings.

Demo Execution

In the demo run, the first couple of executions return a score because those files are identified as commercial songs, and the last one is scored as not commercial.

The score is also returned as the process exit code, so the value can drive other logic such as email notifications or file classification.

USING WITH POWERSHELL

Going a step further, a short PowerShell loop can be used as a starting point to walk through folders and score every MP3 file found.
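The loop described above, written out as an added example (not the snippet from the original post). It assumes IsMP3Song.exe takes the file path as its only argument and reports the score as its exit code, as the post states; the install path, scan root and threshold are placeholders.

```powershell
# Added example: score every MP3 under a root folder with IsMP3Song.exe and
# act on the exit code. Tool path, root and threshold are assumptions.
param(
    [string]$Root      = 'D:\Shares\Users',        # assumed scan root
    [string]$Tool      = 'C:\Tools\IsMP3Song.exe', # assumed install location
    [int]   $Threshold = 50                        # assumed cut-off; tune after a sample run
)

if (-not (Test-Path -LiteralPath $Tool)) { throw "IsMP3Song.exe not found at $Tool" }

$results = foreach ($file in Get-ChildItem -Path $Root -Filter *.mp3 -Recurse -File -ErrorAction SilentlyContinue) {
    # One web-service lookup per file, so this is slow on large shares; run it off-hours.
    & $Tool $file.FullName | Out-Null
    [pscustomobject]@{
        File       = $file.FullName
        SizeMB     = [math]::Round($file.Length / 1MB, 1)
        Score      = $LASTEXITCODE                 # the tool's confidence score
        Commercial = ($LASTEXITCODE -ge $Threshold)
    }
}

# Highest-confidence hits first; this is the column you would feed to notifications or classification
$results | Sort-Object Score -Descending | Format-Table -AutoSize

# Hand the likely-commercial files to whoever has to follow up with the owners
$results | Where-Object Commercial |
    Export-Csv -Path (Join-Path $env:TEMP 'commercial-mp3s.csv') -NoTypeInformation
```

Calling the tool with `&` and reading `$LASTEXITCODE` avoids a Start-Process per file; the threshold is deliberately a parameter because the post does not define what score counts as "commercial".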

Introduction

The Windows Firewall provides an important layer of protection and a rich interface for configuring it. Unfortunately, at the time of writing, the Group Policy section for Windows Firewall with Advanced Security has no equivalent of item-level targeting, so every set of hosts with different filtering requirements needs its own GPO.

For example, if a handful of servers require FTP ports to be open and another group requires RDP to be allowed, you will have to create two separate GPOs.

Over time these GPOs really add up.

The solution to this is to do “Firewall as Code” using PowerShell.

Investigation

Well-behaved applications register their own firewall rules during installation, so they keep working when the firewall is enabled.

Unfortunately, some applications do not include this as part of their install process. These applications require a manual rule to be configured.

Involve the application owners in your environment, especially for information about running processes and for network diagrams. I recommend, however, that you do not ask application owners directly which ports an application needs. I’ve found that if you do that, you will usually get a massive list of irrelevant ports back, mainly because application owners just hand over the list of open ports found on the application servers.

Always check whether the required ports can be tied to a specific process. A rule scoped to the application's executable allows whatever ports that binary opens, so you do not have to work out which protocols or ports are required. Such a rule is only as trustworthy as the path it names: make sure the binary's directory is not writable by ordinary users, or anyone who can replace the file inherits the allowance.

Prestage rules

The key to enabling the Windows Firewall is pre-staging the rules well in advance of actually flipping the switch. This is done with a PowerShell script executed at an interval on all devices; conditions within the script create only the rules appropriate to each host.

For example, you only want the MSSQL firewall rule on servers that actually run MSSQL.

Create PowerShell Script

Although many options exist that would be able to achieve this, I picked PowerShell because of its popularity amongst Windows Administrators.

The PowerShell script to achieve this consists of the following concepts:

Environmental Variables

Global Variables

Local Variables

Conditions

Rules

Environmental Variables

When building path conditions and rules, prefer environment variables such as %ProgramFiles% over hard-coded paths whenever the application is installed into one of those standard locations; the script then works regardless of drive letter or architecture.

Global Variables

Global variables are values used multiple times within the script, such as the list of running services. It makes sense to move these to the top of the file so they are evaluated once; evaluating them repeatedly throughout the file is not wrong, it just makes the script take longer to execute.

Application binary running (notice the local variable)

Each rule name must be unique and descriptive and if applicable to a specific protocol, add the protocol to the rule name within parentheses.

Please note: PowerShell has a powerful cmdlet, New-NetFirewallRule, that vastly simplifies adding a firewall rule. Unfortunately it only ships with Windows 8 / Server 2012 and later, so NETSH is used instead because it works on more devices. The downside of NETSH is that the rule must be deleted first so that subsequent executions do not create duplicates. That leaves a brief window without the rule, which is harmless while pre-staging but worth remembering once the firewall is enforcing.
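The structure described above (environment variables, globals evaluated once, per-host conditions, local variables and netsh delete-then-add) as an added example script; it is not the author's script. Rule names, the service name, the Contoso path and the profile are illustrative assumptions.

```powershell
# Added example of the pre-staging layout (not the author's script). Names and paths are assumptions.

# --- Global variables: evaluated once, reused by every condition below ---
$ProgramFiles    = $env:ProgramFiles      # environment variable, not a hard-coded drive letter
$RunningServices = (Get-Service | Where-Object { $_.Status -eq 'Running' }).Name

function Set-PrestagedRule {
    # netsh keeps the script usable on hosts that pre-date New-NetFirewallRule.
    # Deleting first means every run recreates the rule instead of duplicating it.
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Program,
        [ValidateSet('in','out')][string]$Direction = 'in',
        [ValidateSet('domain','private','public','any')][string]$FwProfile = 'domain'
    )
    if (-not (Test-Path -LiteralPath $Program)) {
        Write-Warning "Skipping '$Name': $Program is not present on this host"
        return
    }
    netsh advfirewall firewall delete rule name="$Name" | Out-Null   # "No rules match" on the first run is expected
    netsh advfirewall firewall add rule name="$Name" dir=$Direction action=allow program="$Program" profile=$FwProfile enable=yes | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed to create '$Name'" }
}

# --- Condition: service running. Only SQL hosts get the SQL rule ---
if ($RunningServices -contains 'MSSQLSERVER') {
    # Local variable: take the executable from the service definition rather than guessing the path.
    # Handles both quoted ("C:\...\sqlservr.exe" -sMSSQLSERVER) and unquoted PathName values.
    $sqlPath = (Get-WmiObject Win32_Service -Filter "Name='MSSQLSERVER'").PathName `
               -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    Set-PrestagedRule -Name 'SQL Server Database Engine (Program)' -Program $sqlPath
}

# --- Condition: binary present. Program-scoped, so any port that binary listens on is allowed ---
$agent = Join-Path $ProgramFiles 'Contoso\Agent\agent.exe'   # hypothetical application
if (Test-Path -LiteralPath $agent) {
    Set-PrestagedRule -Name 'Contoso Agent (Program)' -Program $agent
}
```

Rule names carry the scope in parentheses as the naming convention above suggests. Because the rules are program-scoped, review the ACL on each referenced directory: a user-writable path turns the allowance into one for whatever gets dropped there.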

Step 2: Download Visual Studio Project

Step 3: Create database

Note: The basic steps for creating the database are listed below. Explaining MS SQL functionality is beyond the scope of this article, but I am happy to answer any questions in the comments section below.

1) From the Open Project in Visual Studio, open ModelSSPR.edmx

2) Right-click on white-space on the diagram page

3) Then select Generate Database from Model as shown below

4) Save the SQL script and use it on Microsoft SQL Server to build the database schema

5) Create an MS SQL user and grant it DB owner rights. db_owner is the quickest option; if the application only reads and writes rows once the schema exists, db_datareader and db_datawriter are sufficient and narrower.

Step 4: Modify config file

1) From the open project in Visual Studio

2) Replace the ADConnectionString connection string with the Active Directory LDAP string for the domain used in the Create Active Directory Service Account (Step 1)

3) Replace the SSPREntities connection string with the connection string of the database used in the Create Database (Step 3)

4) Configure ADMembershipProvider to the account created in the Create Active Directory Service Account (Step 1)

5) Replace the appSettings values with the correct information for the domain and account used in the Create Active Directory Service Account (Step 1)
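Before editing the config file and publishing, it is worth proving that the values you are about to enter actually work. The following pre-flight check is an added example and not part of the SSPR project: it binds to the planned ADConnectionString as the Step 1 service account and opens the planned SSPREntities database as the Step 3 SQL user. Host names, domain and database name are assumptions; both passwords are prompted for rather than hard-coded.

```powershell
# Added pre-flight check for the web.config values (not part of the project). Values are assumptions.
$ldapPath    = 'LDAP://dc01.corp.example.com/DC=corp,DC=example,DC=com'  # planned ADConnectionString
$svcAccount  = 'CORP\svc-sspr'                                           # service account from Step 1
$sqlServer   = 'sql01.corp.example.com'                                   # planned SSPREntities server
$sqlDatabase = 'SSPR'

$adCred  = Get-Credential -UserName $svcAccount -Message 'SSPR service account (Step 1)'
$sqlCred = Get-Credential -Message 'SQL user created in Step 3'

# 1) LDAP: bind as the service account and read one user's UPN (the site logs users in by UPN)
try {
    $root = New-Object System.DirectoryServices.DirectoryEntry(
                $ldapPath, $adCred.UserName, $adCred.GetNetworkCredential().Password)
    $ds = New-Object System.DirectoryServices.DirectorySearcher(
                $root, '(&(objectCategory=person)(objectClass=user)(userPrincipalName=*))')
    $ds.PropertiesToLoad.Add('userPrincipalName') | Out-Null
    $ds.SizeLimit = 1
    $hit = $ds.FindOne()
    if (-not $hit) { throw 'bind succeeded but no user with a UPN was returned' }
    "LDAP OK : bound as $($adCred.UserName); sample UPN $($hit.Properties['userprincipalname'][0])"
} catch {
    Write-Error "LDAP FAIL: $($_.Exception.Message)"
}

# 2) SQL: open the database with the same kind of string SSPREntities will carry.
#    Encrypt=True means a failure here points at a certificate problem you would otherwise hit in production.
$connString = "Server=$sqlServer;Database=$sqlDatabase;User ID=$($sqlCred.UserName);" +
              "Password=$($sqlCred.GetNetworkCredential().Password);Encrypt=True"
try {
    $conn = New-Object System.Data.SqlClient.SqlConnection($connString)
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES'
    "SQL OK  : $($cmd.ExecuteScalar()) tables visible in $sqlDatabase as $($sqlCred.UserName)"
    $conn.Close()
} catch {
    Write-Error "SQL FAIL : $($_.Exception.Message)"
}
```

If the LDAP step fails with an invalid-credentials error while the account works interactively, check the LDAP path's domain component and whether the account is restricted by logon hours or workstation restrictions; the membership provider will fail the same way.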

Step 5: Publish Site

Please Note: Explaining Visual Studio publishing is beyond the scope of this article, but I am happy to answer any questions in the comments section below.

1) From the open project in Visual Studio

2) Publish site with the Visual Studio Publishing wizard

Step 6: Testing Site

Registering password hints

1) Browse to site published in Publish Site (Step 5)

2) Click on Log in

3) Specify the Username and Password for the account to register for self-service password reset.

Note: Username must be in UPN format

4) Create password hints by adding questions and answers

Note: At least four hints need to be specified to utilize the self-service password reset function.

Self-Service Password Reset Request

1) Browse to the site published in the Publish Site (Step 5)

2) Click on Reset Password

3) Enter the Username for the account to reset the password for as shown below

Note: Username must be in UPN format

4) Enter answers to the security questions and provide new password

Note: Three random questions will be selected out of the hints configured

5) Click Reset Password

6) If the password was successfully reset, the following screen will display

I hope you found this tutorial useful. You are encouraged to ask questions, report any bugs or make any other comments about it below.

bool LogVehicleEvent(Vehicle *v)
{
	/* Fields not logged in this version, kept for reference. This is a free
	   function, so the vehicle is reached through v rather than this:
	OwnerByte owner = v->owner;                     ///< Which company owns the vehicle?
	EngineID engine_type = v->engine_type;          ///< The type of engine used for this vehicle.
	int CargoDaysInTransit = v->cargo.DaysInTransit; ///< Number of days cargo has been in transit
	CargoID cargo_type = v->cargo_type;             ///< type of cargo this vehicle is carrying
	byte cargo_subtype = v->cargo_subtype;          ///< Used for livery refits (NewGRF variations)
	uint16 cargo_cap = v->cargo_cap;                ///< total capacity
	uint16 refit_cap = v->refit_cap;                ///< Capacity left over from before last refit.
	VehicleCargoList cargo = v->cargo;              ///< The cargo this vehicle is carrying
	int8 trip_occupancy = v->trip_occupancy;        ///< NOSAVE: Occupancy of vehicle of the current trip (updated after leaving a station).
	byte day_counter = v->day_counter;              ///< Increased by one for each day
	byte vehstatus = v->vehstatus;                  ///< Status
	*/

	Rect coord = v->coord;                          ///< NOSAVE: Graphical bounding box of the vehicle, i.e. what to redraw on moves.
	Money value = v->value;                         ///< Value of the vehicle
	Money profit_this_year = v->profit_this_year;   ///< Profit this year << 8, low 8 bits are fract
	Money profit_last_year = v->profit_last_year;   ///< Profit last year << 8, low 8 bits are fract
	Year build_year = v->build_year;                ///< Year the vehicle has been built.
	Date max_age = v->max_age;                      ///< Maximum age
	Date age = v->age;                              ///< Age in days
	UnitID unitnumber = v->unitnumber;              ///< unit number, for display purposes only
	uint16 cur_speed = v->cur_speed;                ///< current speed
	Date date_of_last_service = v->date_of_last_service; ///< Last date the vehicle had a service at a depot.
	byte breakdowns_since_last_service = v->breakdowns_since_last_service; ///< Counter for the amount of breakdowns.
	Order current_order = v->current_order;         ///< The current order (+ status, like: loading)
	StationID last_station_visited = v->last_station_visited; ///< The last station we stopped at.
	StationID last_loading_station = v->last_loading_station; ///< Last station the vehicle has stopped at and could possibly leave from with any cargo loaded.

	/* Logging of the values above is not part of this fragment. */
	return true;
}

CONFIGURING USERRESOURCECLEANUP

c) On the Encrypt tab, enter the password for the account that will be performing the automated placement task. Encrypt it with key bRK92kDpCqpnPMEtFp1cdJXixgqOqSKFUZ and record the encrypted password. Because that key is fixed and published here, the encryption only hides the password from casual viewing; anyone who can read the configuration file can recover it, so protect the file with NTFS permissions and give the account no more rights than the task needs.

d) On the Settings tab, enter the domain information, connection username and the encrypted password recorded in step c. Set UserNameMatch to a regular expression that matches your user account naming format. If you do not have a specific format, use .* (which matches every account, so the tool will consider all of them).

e) On the UserFolderLocations tab, specify the folders to monitor for redundant user data

IMPLEMENTATION

1) Computer Description Update Process

a) Delegation

To be able to update computer descriptions you need to delegate rights.

Add the following permissions in Active Directory, either at the root of the domain or on a specific Organizational Unit. Use an OU if you only want this process applied to some computers. Delegate only what the script writes (the Description attribute); a broader delegation lets the same principals change other attributes of the computer objects.

b) Powershell Script

Below is the PowerShell script used to update the computer description.

It is important to note that you should not change the format of the message if you plan to use my automated object placement process, because AutoAD parses the description in that exact format.
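As an added illustration of the mechanism (a computer writing its own Description attribute under the delegation above), the following is not the author's ComputerDescriptionUpdate.ps1, and the message format it writes is made up for the example rather than the format AutoAD parses. It uses ADSI directly so it also runs on hosts without the ActiveDirectory module.

```powershell
# Added illustration, not the author's script; the description format is hypothetical.
try {
    # IPv4 address, prefix length and the AD site the client resolved: what a placement engine needs
    $nic  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
            Where-Object { $_.DefaultIPGateway } | Select-Object -First 1
    if (-not $nic) { throw 'No IP-enabled adapter with a default gateway found' }
    $addr = $nic.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } | Select-Object -First 1
    $mask = $nic.IPSubnet[[array]::IndexOf($nic.IPAddress, $addr)]
    $bits = ([Convert]::ToString(([IPAddress]$mask).Address, 2) -replace '0').Length   # popcount of the mask
    $site = 'NoSite'
    try { $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name } catch { }

    # Hypothetical format: "<ip>/<bits>|<site>|<timestamp>"
    $desc = '{0}/{1}|{2}|{3:yyyy-MM-dd HH:mm}' -f $addr, $bits, $site, (Get-Date)

    # Locate our own computer object and write the attribute (requires the delegated right)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$($rootDse.defaultNamingContext)")
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $me = $searcher.FindOne()
    if (-not $me) { throw "Computer object for $env:COMPUTERNAME not found" }
    $entry = $me.GetDirectoryEntry()
    $entry.Put('description', $desc)
    $entry.SetInfo()
    "Description set to: $desc"
} catch {
    Write-Error "Description update failed: $($_.Exception.Message)"
}
```

Run as a scheduled task under the computer's own identity (SYSTEM), the write succeeds only because of the delegation; that is also why the delegation should be limited to SELF writing its own description, so that no other principal can feed the placement process false data.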

2) AutoAD

c) On the Encrypt tab, enter the password for the account that will be performing the automated placement task. Encrypt it with key 2xCJvezFBYWQPBeHy7USdajK55M8skww and record encrypted password

d) On the Settings tab, enter the domain information, connection user name and the encrypted password recorded in step 2c.

Specify which objects AutoAD should create automatically

e) Specify the Active Directory information. The format of each entry is Subnet/Bit Mask|AD Site Name|Computer DN|User DN

Subnet/Bit Mask: The subnet and mask (in bit format) for the specific entry

AD Site: The Active Directory site to which the subnet belongs

Computer DN: The distinguished name of the organizational unit where to move computers to for computer objects in this subnet

User DN: The distinguished name of the organizational unit where to move users to for user objects in this subnet

Please Note: Ensure that moving a user from one container to another can never grant that user, or an admin, additional permissions. The placement is driven by the computer description, which is writable by whoever was delegated that right; if a description is tampered with, a user can be forced into an incorrect OU and inherit whatever that OU grants (group policy, delegated rights, group memberships applied by other automation).

f) Specify any user DNs that should be skipped

g) Specify any computer DNs that should be skipped
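The following added example (not AutoAD's code) shows how entries in the Subnet/Bit Mask|AD Site Name|Computer DN|User DN format resolve to a placement: the entry list is parsed, malformed lines are rejected, and an address is matched to the most specific subnet, which is what makes overlapping entries such as 10.0.0.0/8 and 10.20.5.0/24 behave as you would expect. The entries, site names, OUs and test addresses are constructed for the example.

```powershell
# Added example (not AutoAD's code): parse placement entries and do longest-prefix matching.
# Entries, sites, DNs and test addresses are constructed.
$entries = @(
    '10.0.0.0/8|Default-First-Site-Name|OU=Computers,OU=HQ,DC=corp,DC=example,DC=com|OU=Users,OU=HQ,DC=corp,DC=example,DC=com'
    '10.20.0.0/16|Cape-Town|OU=Computers,OU=CPT,DC=corp,DC=example,DC=com|OU=Users,OU=CPT,DC=corp,DC=example,DC=com'
    '10.20.5.0/24|Cape-Town|OU=Servers,OU=CPT,DC=corp,DC=example,DC=com|OU=Users,OU=CPT,DC=corp,DC=example,DC=com'
)

function ConvertTo-IPv4UInt32 ([string]$Address) {
    $b = ([IPAddress]$Address).GetAddressBytes()
    # Reverse to little-endian so BitConverter returns the conventional numeric value
    [BitConverter]::ToUInt32([byte[]]($b[3], $b[2], $b[1], $b[0]), 0)
}

function ConvertFrom-PlacementEntry ([string]$Line) {
    $parts = $Line -split '\|'
    if ($parts.Count -ne 4) { throw "Malformed entry (expected 4 fields): $Line" }
    $net, $bits = $parts[0] -split '/'
    $bits = [int]$bits
    if ($bits -lt 0 -or $bits -gt 32) { throw "Bad prefix length in: $Line" }
    $mask = [uint32]((0xFFFFFFFF -shl (32 - $bits)) -band 0xFFFFFFFF)
    [pscustomobject]@{
        Network    = (ConvertTo-IPv4UInt32 $net) -band $mask   # normalise host bits away
        Mask       = $mask
        Bits       = $bits
        Site       = $parts[1]
        ComputerDN = $parts[2]
        UserDN     = $parts[3]
    }
}

function Resolve-Placement ([string]$Address, [object[]]$Table) {
    $ip = ConvertTo-IPv4UInt32 $Address
    # Longest-prefix match: the most specific subnet wins, exactly as in routing
    $Table | Where-Object { ($ip -band $_.Mask) -eq $_.Network } |
             Sort-Object Bits -Descending | Select-Object -First 1
}

$table = $entries | ForEach-Object { ConvertFrom-PlacementEntry $_ }
foreach ($test in '10.20.5.42', '10.20.77.1', '10.9.0.3', '192.168.1.1') {
    $hit = Resolve-Placement $test $table
    if ($hit) { '{0,-14} -> {1,-24} {2}' -f $test, $hit.Site, $hit.ComputerDN }
    else      { '{0,-14} -> no entry; leave the object where it is' -f $test }
}
```

An address with no matching entry is deliberately left alone rather than falling through to a default OU; a default would be exactly the place a tampered description could steer objects to.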

DEMO EXECUTION

After implementing ComputerDescriptionUpdate.ps1 notice how computer descriptions are automatically updated

AutoAD.exe output

Sites and subnets automatically created by AutoAD

Organizational Units automatically created by AutoAD

Object placement (example 1)

Object placement (example 2)

Object placement (example 3)

Object placement (example 4)

CONCLUSION

Using this process will keep Active Directory organized and objects in the correct Organizational Units

a) On the Encrypt tab, enter the password for the account that will be performing the cleanup task. Encrypt it with key 9hOK7AtlGOCRyBtBdhF9pnTQuk8ES176 and record the encrypted password. The key is fixed, so restrict who can read the configuration file.

b) On the Settings tab, enter the fully qualified domain name, cleanup account user name and the encrypted password recorded in step 4a

c) Set userCleanup to true to enable the process to clean up user accounts. Set user cleanup parameters

d) Set userDisabledOU to the value recorded in step 2

e) Set computerCleanup to true to enable the process to clean up computer accounts. Set computer cleanup parameters

f) Set computerDisabledOU to value recorded in step3

g) On the userExcludedDNs tab, specify any distinguished name of an organizational unit that should be excluded from the cleanup process (+ or INS to add, – or DEL to delete, Enter or double-click to edit)

h) On the computerExcludedDNs tab, specify any distinguished name of an organizational unit that should be excluded from the cleanup process (+ or INS to add, – or DEL to delete, Enter or double-click to edit)

i) Schedule ADCleanup.exe to execute via a scheduled task. Upon every execution, the tool will clean up user and computer objects as per your configuration
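For readers who want to see the cleanup logic rather than configure a tool, the following added example (not ADCleanup.exe and not the author's code) implements the same process with the ActiveDirectory module: find still-enabled users and computers that have not logged on within a cut-off, skip excluded OUs, disable them, stamp the description and move them to the disabled OUs. It is report-only unless -Commit is given. The OU names and exclusions are assumptions.

```powershell
# Added example (not ADCleanup.exe): stale-object sweep with exclusions and a dry-run default.
param(
    [int]$StaleDays = 90,
    [string]$UserDisabledOU     = 'OU=Disabled Users,DC=corp,DC=example,DC=com',      # assumption (step 2)
    [string]$ComputerDisabledOU = 'OU=Disabled Computers,DC=corp,DC=example,DC=com',  # assumption (step 3)
    [string[]]$ExcludedDNs = @(                                                        # assumptions (steps g/h)
        'OU=Service Accounts,DC=corp,DC=example,DC=com',
        'OU=Domain Controllers,DC=corp,DC=example,DC=com'
    ),
    [switch]$Commit
)
Import-Module ActiveDirectory

# lastLogonTimestamp replicates lazily (only when the stored value is more than ~14 days old),
# so a shorter cut-off produces false positives. whenCreated keeps freshly built objects that
# have never logged on out of the sweep.
if ($StaleDays -lt 14) { throw 'StaleDays must be at least 14 because of lastLogonTimestamp replication lag' }
$cutoff = (Get-Date).AddDays(-$StaleDays)
$common = @{ WhatIf = (-not $Commit) }   # splatted onto every write: dry run unless -Commit

function Test-ExcludedDn ([string]$Dn) {
    foreach ($ex in $ExcludedDNs) {
        if ($Dn.EndsWith(",$ex", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Invoke-Retire {
    param($Object, [string]$TargetOU, [string]$Kind)
    if (Test-ExcludedDn $Object.DistinguishedName) { return }
    $lastLogon = [DateTime]::FromFileTime($Object.LastLogonTimeStamp)
    $stamp = 'Disabled by stale-object sweep {0:yyyy-MM-dd}; last logon {1:yyyy-MM-dd}' -f (Get-Date), $lastLogon
    Write-Host "[$Kind] $($Object.DistinguishedName) (last logon $($lastLogon.ToShortDateString()))"
    Disable-ADAccount -Identity $Object @common
    Set-ADObject -Identity $Object -Description $stamp @common
    Move-ADObject -Identity $Object -TargetPath $TargetOU @common
}

Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $cutoff -and whenCreated -lt $cutoff } `
           -Properties LastLogonTimeStamp, whenCreated |
    ForEach-Object { Invoke-Retire -Object $_ -TargetOU $UserDisabledOU -Kind 'user' }

Get-ADComputer -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $cutoff -and whenCreated -lt $cutoff } `
               -Properties LastLogonTimeStamp, whenCreated |
    ForEach-Object { Invoke-Retire -Object $_ -TargetOU $ComputerDisabledOU -Kind 'computer' }
```

Disabling and moving rather than deleting keeps the object's SID and group memberships recoverable for a grace period; deletion can follow later from the disabled OU once nobody has complained.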

CONCLUSION

Using this process (or one like it) keeps Active Directory free of unused computer and user objects and improves security in the process: stale accounts that nobody monitors are a common foothold for an attacker.

4) From within this new command prompt, everything you open will open as the SYSTEM account.

EXAMPLES

Viewing NT Secrets

Open regedit.exe and you will be able to see the content of HKEY_LOCAL_MACHINE\SECURITY, a hive whose ACL normally grants access to SYSTEM only.

This lets you view the LSA secrets (NT Secrets) stored there, such as service account passwords kept under _SC_<ServiceName> keys. Note that the values are stored encrypted with the LSA key, so regedit shows the encrypted blobs rather than the plaintext; recovering the passwords takes separate tooling.
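As an added check (not from the original post), the following PowerShell, run from the SYSTEM shell, confirms the identity you are actually running as and lists the LSA secret names under the SECURITY hive together with the size of each encrypted value; the same commands fail with Access Denied from a normal administrative prompt, which is the whole point of the technique.

```powershell
# Added check: confirm SYSTEM and enumerate LSA secret names (values stay encrypted).
function Get-LsaSecretNames {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    "Running as $($id.Name) (IsSystem=$($id.IsSystem))"
    try {
        # The SECURITY hive ACL grants SYSTEM only; administrators get "Requested registry access is not allowed"
        Get-ChildItem -Path 'HKLM:\SECURITY\Policy\Secrets' -ErrorAction Stop | ForEach-Object {
            $blob = (Get-ItemProperty -Path (Join-Path $_.PSPath 'CurrVal') -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Name          = $_.PSChildName    # e.g. _SC_<ServiceName>, DPAPI_SYSTEM, NL$KM
                EncryptedSize = if ($blob) { $blob.Length } else { 0 }
            }
        }
    } catch {
        Write-Warning "Cannot read HKLM\SECURITY: $($_.Exception.Message). You are not SYSTEM, or the hive ACL was changed."
    }
}

Get-LsaSecretNames | Format-Table -AutoSize
```

The `_SC_` entries tell you which services run under stored credentials, which is useful on its own when auditing a server, without decrypting anything.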

Opening SQL Server Management Studio as SYSTEM

Open SQL Server Management Studio and you will be logged on as NT AUTHORITY\SYSTEM.

This gives you access to SQL Server without any SQL login having been granted to your own account, provided the SYSTEM login holds the sysadmin role. That was the default up to SQL Server 2008 R2; from SQL Server 2012 onwards NT AUTHORITY\SYSTEM is no longer a sysadmin by default, so this only works on instances where that login was granted the role.

You will be able to browse to any folder that only allows SYSTEM account

You can export and repair permissions with SetACL/ICACLS on folders from which the Administrators group has been removed

Kill processes that return Access Denied when you try to terminate them with normal Administrator rights

WinDirStat/TreeSize etc.

Running something like TreeSize as SYSTEM gives you a better view and understanding of what is using space, because you get far fewer access-denied folders

Some others…

Simulate GPO start scripts

Simulate GPO based MSI installation

Diagnose why scheduled tasks that run as SYSTEM don’t run as intended

Start/stop protected services

CONCLUSION

Using this process (or one like it) lets you start processes as the SYSTEM account, giving access to parts of the file system, registry and applications that normal administrative rights cannot reach. Because it steps around the administrator boundary, treat the SYSTEM shell as a break-glass tool and close it when you are done.